Analysis
- max time kernel: 147s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/01/2024, 10:59
Static task: static1
Behavioral task: behavioral1
- Sample: 438194de19ad7eefd4762cbd6c68c991.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 438194de19ad7eefd4762cbd6c68c991.exe
- Resource: win10v2004-20231215-en
General
- Target: 438194de19ad7eefd4762cbd6c68c991.exe
- Size: 771KB
- MD5: 438194de19ad7eefd4762cbd6c68c991
- SHA1: 2268cec06ea9925a86cfd4e7b824613356b169e2
- SHA256: 8fe1cb4180c5ed787e5d1583e525ddff3383edd503c4b95e14ed4655cb63412a
- SHA512: 414e1a065291a52efe37fb35cdc8b9ac5c92b5208aad551e3199f2d528c91d0e073127ac590a8653e973d8b65283f5375e82546d1e43f4c081c011be11c74465
- SSDEEP: 12288:h1cU4A1bkV1QnKMUQctX2ZQWjrBrb10VHmDXTuFaa2AtyGTKOF25ZoJJyhRge8B/:0V19MUQ87s9b10hJaothZ2/T6FBBB
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 4112, process 438194de19ad7eefd4762cbd6c68c991.exe
- Executes dropped EXE (1 IoCs)
  pid 4112, process 438194de19ad7eefd4762cbd6c68c991.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 5000, process 438194de19ad7eefd4762cbd6c68c991.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 5000, process 438194de19ad7eefd4762cbd6c68c991.exe
  pid 4112, process 438194de19ad7eefd4762cbd6c68c991.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 5000 wrote to memory of 4112; pid 5000; process 438194de19ad7eefd4762cbd6c68c991.exe; procid_target 90
  description: PID 5000 wrote to memory of 4112; pid 5000; process 438194de19ad7eefd4762cbd6c68c991.exe; procid_target 90
  description: PID 5000 wrote to memory of 4112; pid 5000; process 438194de19ad7eefd4762cbd6c68c991.exe; procid_target 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe"
   PID: 5000
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe (child of PID 5000)
   Command line: C:\Users\Admin\AppData\Local\Temp\438194de19ad7eefd4762cbd6c68c991.exe
   PID: 4112
   - Deletes itself
   - Executes dropped EXE
   - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 381KB
- MD5: ae0742bc49a48417a3dce69038837f0f
- SHA1: 91b04106a6f1a7fa5d6714a14aa0c7d094ed4722
- SHA256: 0924c5115fb909f68c91db9ccd26577cab7c00899b980d9fa704d59bae78919c
- SHA512: b03f57c44dceae7b46a19be60ed329b24669e157a6fe15b65730a9189a4814658376ab57475bac51f4c0dec9c53a31ddc644e9ad73b359b3cd5e918f38afa014